From 583e7e6d123d23593c179fefa95f9fae19319e29 Mon Sep 17 00:00:00 2001
From: Simon Leary
Date: Wed, 14 Jan 2026 10:57:36 -0500
Subject: [PATCH] allow multiple groups for one user flag

---
 README.md | 6 ++++++
 defaults/config.ini.default | 13 ++++++++-----
 resources/lib/UnityLDAP.php | 10 ++++++++--
 resources/lib/UnityUser.php | 11 ++++++++---
 4 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 00bf655b3..ae8d67be8 100644
--- a/README.md
+++ b/README.md
@@ -123,6 +123,12 @@ rm "$prod" && ln -s "$old" "$prod"
 
 ### Version-specific update instructions:
 
+### 1.6 -> 1.7
+
+- the `[ldap]user_flag_groups` option has been moved to `[ldap_user_flag_groups]`
+- each user flag group can now optionally be an array
+  - if there are multiple groups for a user flag, all groups are used to check for the flag, but only the 1st group is used to enable/disable a flag for a user
+
 ### 1.5 -> 1.6
 
 - the `[site]getting_started_url` option should be defined
diff --git a/defaults/config.ini.default b/defaults/config.ini.default
index af44d9ed5..7fa40e1f6 100644
--- a/defaults/config.ini.default
+++ b/defaults/config.ini.default
@@ -35,17 +35,20 @@ def_user_shell = "/bin/bash" ; Default shell for new users
 offset_UIDGID = 1000000 ; start point when allocating new UID/GID pairs for a new user
 offset_PIGID = 2000000 ; start point when allocating new GID for a new PI group
 offset_ORGGID = 3000000 ; start point when allocating new GID for a new org group
-user_flag_groups[admin] = "cn=web_admins,dc=unityhpc,dc=test" ; admin user group dn
-user_flag_groups[ghost] = "cn=ghost,dc=unityhpc,dc=test" ; ghost user group dn
-user_flag_groups[idlelocked] = "cn=idlelocked,dc=unityhpc,dc=test" ; idlelocked user group dn
-user_flag_groups[locked] = "cn=locked,dc=unityhpc,dc=test" ; locked user group dn
-user_flag_groups[qualified] = "cn=unityusers,dc=unityhpc,dc=test" ; qualified user group (in at least one PI group)
 allowed_ssh_key_types[] = ssh-rsa
 allowed_ssh_key_types[] = ecdsa-sha2-nistp256
 allowed_ssh_key_types[] = ecdsa-sha2-nistp384
 allowed_ssh_key_types[] = ecdsa-sha2-nistp521
 allowed_ssh_key_types[] = ssh-ed25519
 
+[ldap_user_flag_groups]
+admin = "cn=web_admins,dc=unityhpc,dc=test" ; admin user group dn
+ghost = "cn=ghost,dc=unityhpc,dc=test" ; ghost user group dn
+idlelocked = "cn=idlelocked,dc=unityhpc,dc=test" ; idlelocked user group dn
+locked = "cn=locked,dc=unityhpc,dc=test" ; locked user group dn
+qualified[] = "cn=unityusers,dc=unityhpc,dc=test" ; qualified user group
+qualified[] = "cn=extra_qualifed,dc=unityhpc,dc=test" ; extra qualified user group
+
 [sql]
 host = "sql" ; mariadb hostname
 user = "unity" ; mariadb username
diff --git a/resources/lib/UnityLDAP.php b/resources/lib/UnityLDAP.php
index 8831c4f3d..dbf434f84 100644
--- a/resources/lib/UnityLDAP.php
+++ b/resources/lib/UnityLDAP.php
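Review bot: The second `qualified[]` sample DN reads `cn=extra_qualifed,dc=unityhpc,dc=test`; "qualifed" looks like a typo, and because this is the shipped default it is likely to be copied verbatim into real configs, so `cn=extra_qualified,dc=unityhpc,dc=test` is presumably what was meant. The README hunk states that only the first listed group is modified when a flag is toggled while every listed group is checked when it is read, which makes the order of `qualified[]` entries significant; a comment at the top of the new section would spare operators that surprise: `; when a flag lists several groups, all are checked when reading the flag, but only the first is modified when the flag is set or cleared`. The rewritten `qualified[]` comment also dropped the old "(in at least one PI group)" explanation, which was the only place that said what "qualified" means.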
@@ -58,8 +58,14 @@ public function __construct()
         $this->org_groupOU = $this->getEntry(CONFIG["ldap"]["orggroup_ou"]);
         $this->userFlagGroups = [];
         foreach (UserFlag::cases() as $flag) {
-            $dn = CONFIG["ldap"]["user_flag_groups"][$flag->value];
-            $this->userFlagGroups[$flag->value] = new PosixGroup(new LDAPEntry($this->conn, $dn));
+            $this->userFlagGroups[$flag->value] = [];
+            $DNs = (array) CONFIG["ldap_user_flag_groups"][$flag->value];
+            foreach ($DNs as $dn) {
+                array_push(
+                    $this->userFlagGroups[$flag->value],
+                    new PosixGroup(new LDAPEntry($this->conn, $dn)),
+                );
+            }
         }
     }
 
diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php
index bafe6571f..ebebfe0a7 100644
--- a/resources/lib/UnityUser.php
+++ b/resources/lib/UnityUser.php
@@ -90,7 +90,12 @@ public function init(
 
     public function getFlag(UserFlag $flag): bool
     {
-        return $this->LDAP->userFlagGroups[$flag->value]->memberUIDExists($this->uid);
+        foreach ($this->LDAP->userFlagGroups[$flag->value] as $group) {
+            if ($group->memberUIDExists($this->uid)) {
+                return true;
+            }
+        }
+        return false;
     }
 
     public function setFlag(
@@ -104,7 +109,7 @@ public function setFlag(
             return;
         }
         if ($newValue) {
-            $this->LDAP->userFlagGroups[$flag->value]->addMemberUID($this->uid);
+            $this->LDAP->userFlagGroups[$flag->value][0]->addMemberUID($this->uid);
             if ($doSendMail) {
                 $this->MAILER->sendMail($this->getMail(), "user_flag_added", [
                     "user" => $this->uid,
@@ -120,7 +125,7 @@ public function setFlag(
                 ]);
             }
         } else {
-            $this->LDAP->userFlagGroups[$flag->value]->removeMemberUID($this->uid);
+            $this->LDAP->userFlagGroups[$flag->value][0]->removeMemberUID($this->uid);
             if ($doSendMail) {
                 $this->MAILER->sendMail($this->getMail(), "user_flag_removed", [
                     "user" => $this->uid,
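Review bot: A flag with no key under `[ldap_user_flag_groups]` (for example a config still carrying the pre-1.7 `[ldap]user_flag_groups` keys) makes `(array) CONFIG["ldap_user_flag_groups"][$flag->value]` evaluate to an empty array (after an undefined-key warning, assuming CONFIG is a plain array), so `userFlagGroups[$flag->value]` is silently empty: every read of that flag then answers false — fail-open for `locked`, `idlelocked` and `ghost` — and the `[0]` access in `UnityUser::setFlag` becomes a method call on null. The constructor should refuse to start in that state rather than leave the application half-configured, e.g. right after the cast: `if ($DNs === []) { throw new \RuntimeException("no group DN configured for user flag '{$flag->value}'"); }` (or whatever failure path the project uses for bad config). As a matter of style, the single-element `array_push` is more simply `$this->userFlagGroups[$flag->value][] = new PosixGroup(new LDAPEntry($this->conn, $dn));`, and `$DNs` would read better as `$dns` next to `$dn`. `__construct` begins before the hunk.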
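Review bot: `getFlag` now has any-of semantics across the configured groups while `setFlag` further down writes only the first group, and nothing on the method says so; a docblock would stop the next reader from assuming the two are symmetric: `/** True if the user is a memberUid of any group configured for $flag. Note that setFlag() only modifies the first configured group. */`. The docblock should also state that an empty group list yields false, since that is the value security-sensitive flags such as `locked` fall back to when misconfigured.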
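Review bot: The disable path (the sibling hunk at `@@ -120,7 +125,7 @@`) removes the uid only from group `[0]`, while `getFlag` answers true for membership in any configured group, so revoking a flag for a user who is also in a second group is a silent no-op: `setFlag($flag, false)` completes normally, the `"user_flag_removed"` mail goes out, and `getFlag($flag)` still reports true — for `admin` that is a privilege that was believed revoked but was not. The README does document first-group-only writes, but for removal the safe semantics is to take the uid out of every configured group it is in (the enable path in this hunk can keep adding to `[0]`); at minimum the method should re-read the flag after the write and fail loudly when it did not change. `setFlag` starts before this hunk and continues after the sibling hunk.

```php
        } else {
            // Remove from every configured group; otherwise getFlag() keeps answering true
            // for a user who is also a member of a secondary group.
            foreach ($this->LDAP->userFlagGroups[$flag->value] as $group) {
                if ($group->memberUIDExists($this->uid)) {
                    $group->removeMemberUID($this->uid);
                }
            }
            // … unchanged: user_flag_removed mail …
```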